FreeBSD Bugzilla – Attachment 238347 Details for Bug 267944: free() of uninitialized pointer from kadmind_dispatch() and ret_principal_ent()
[patch] The patch.
0001-heimdal-Fix-uninitialized-pointer-dereference.patch (text/plain), 1.58 KB, created by Cy Schubert on 2022-11-25 23:35:59 UTC
>From e7a7993a18006301b27474ac15d132a52cdf7320 Mon Sep 17 00:00:00 2001 >From: Cy Schubert <cy@FreeBSD.org> >Date: Fri, 25 Nov 2022 15:29:14 -0800 >Subject: [PATCH] heimdal: Fix uninitialized pointer dereference > >krb5_ret_preincipal() returns a non-zero return code when >a garbage principal is passed to it. Unfortunately ret_principal_ent() >does not check the return code, with garbage pointing to what would >have been the principal. This results in a segfault when free() is >called. > >PR: 267944 >Reported by: Robert Morris <rtm@lcs.mit.edu> >MFC after: 3 days >--- > crypto/heimdal/lib/kadm5/marshall.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > >diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c >index fa7388b692fe..292cdf6107e8 100644 >--- a/crypto/heimdal/lib/kadm5/marshall.c >+++ b/crypto/heimdal/lib/kadm5/marshall.c >@@ -187,9 +187,9 @@ ret_principal_ent(krb5_storage *sp, > int i; > int32_t tmp; > >- if (mask & KADM5_PRINCIPAL) >- krb5_ret_principal(sp, &princ->principal); >- >+ if (mask & KADM5_PRINCIPAL) >+ if (krb5_ret_principal(sp, &princ->principal)) >+ return EINVAL; > if (mask & KADM5_PRINC_EXPIRE_TIME) { > krb5_ret_int32(sp, &tmp); > princ->princ_expire_time = tmp; >@@ -208,9 +208,10 @@ ret_principal_ent(krb5_storage *sp, > } > if (mask & KADM5_MOD_NAME) { > krb5_ret_int32(sp, &tmp); >- if(tmp) >- krb5_ret_principal(sp, &princ->mod_name); >- else >+ if(tmp) { >+ if (krb5_ret_principal(sp, &princ->mod_name)) >+ return EINVAL; >+ } else > princ->mod_name = NULL; > } > if (mask & KADM5_MOD_TIME) { >-- >2.38.1 >
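Review bot: the new "return EINVAL;" in the KADM5_PRINCIPAL block of the first hunk bails out with princ->principal still holding whatever it held before the failed krb5_ret_principal(); if any caller frees the partially filled entry on the error path, the free() of an uninitialized pointer in the bug title is still reachable. Zero the entry (or at least set princ->principal = NULL) before the first read so cleanup is safe on every path, and propagate the decoder's own code rather than a fixed EINVAL, e.g. with a kadm5_ret_t local: ret = krb5_ret_principal(sp, &princ->principal); if (ret) return ret; so allocation failures and decode errors remain distinguishable. The caller of ret_principal_ent() is not in this hunk; confirm that it checks the return value, otherwise the new early return is silently discarded and kadmind_dispatch() proceeds as before. Minor: the blank line separating this block from the KADM5_PRINC_EXPIRE_TIME block was dropped, and the unbraced nested if would read better as a braced outer if, matching the braces used in the KADM5_MOD_NAME hunk.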
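Review bot: same gap in the KADM5_MOD_NAME hunk: when krb5_ret_principal(sp, &princ->mod_name) fails the function returns with princ->mod_name never assigned, while the else arm does set it to NULL, so the two arms leave the field in different states. Assign princ->mod_name = NULL before the read (or on the failure path) and return the decoder's error code instead of EINVAL. The krb5_ret_int32(sp, &tmp) that produces the flag is still unchecked, and tmp is reused across the earlier fields (see the KADM5_PRINC_EXPIRE_TIME read in the first hunk), so a stream truncated at the flag keeps the previous value and may trigger another principal read; that read is now checked, but checking the int32 read as well would make the intent explicit. Style: brace the else arm to match the braced if it pairs with.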
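The defect behind the patch, a decoder that reports failure through its return value but leaves the out-pointer unassigned, followed by a caller that ignores that return value and later hands the pointer to free(), modelled in self-contained C. This is an added illustration, not Heimdal or FreeBSD code: stream_t, principal_t, ent_t, ret_principal(), the one-byte-length wire format and both sample inputs are constructed for the example, and a static marker object stands in for the stack garbage an uninitialized field would hold. decode_unchecked() mirrors the pre-patch pattern; decode_checked() mirrors the hardened one and additionally zeroes the entry first, so that freeing it on the error path is safe whatever the caller does.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example model, not Heimdal code. ret_principal() has the contract the patch
 * relies on for krb5_ret_principal(): non-zero on bad input, and in that case
 * *out is never assigned. All types, names and inputs are constructed. */
typedef struct { const uint8_t *buf; size_t len, pos; } stream_t;
typedef struct { char *name; } principal_t;        /* stands in for krb5_principal */
typedef struct { principal_t *principal; } ent_t;  /* stands in for kadm5_principal_ent_rec */

/* Constructed wire format: one length byte, then that many name bytes. */
static int ret_principal(stream_t *sp, principal_t **out)
{
    principal_t *p;
    size_t n;
    if (sp->pos >= sp->len)
        return EINVAL;                     /* nothing left to read */
    n = sp->buf[sp->pos++];
    if (n == 0 || sp->pos + n > sp->len)
        return EINVAL;                     /* truncated: *out left untouched */
    if ((p = malloc(sizeof *p)) == NULL)
        return ENOMEM;
    if ((p->name = malloc(n + 1)) == NULL) {
        free(p);
        return ENOMEM;
    }
    memcpy(p->name, sp->buf + sp->pos, n);
    p->name[n] = '\0';
    sp->pos += n;
    *out = p;
    return 0;
}

static void free_principal(principal_t *p)
{
    if (p != NULL) {
        free(p->name);
        free(p);
    }
}

/* A marker object stands in for whatever an uninitialized stack field holds;
 * in the real bug it is an unpredictable pointer that reaches free(). */
static principal_t garbage_marker;
#define GARBAGE (&garbage_marker)

/* Pre-fix pattern: return value ignored, entry not zeroed. A malformed stream
 * yields "success" with the garbage pointer still in place. */
static int decode_unchecked(const uint8_t *buf, size_t len, ent_t *ent)
{
    stream_t sp = { buf, len, 0 };
    ent->principal = GARBAGE;              /* models the uninitialized field */
    (void)ret_principal(&sp, &ent->principal);
    return 0;
}

/* Hardened pattern: zero the entry before any read so free_principal() is safe
 * on every path, then return the decoder's own error code unchanged. */
static int decode_checked(const uint8_t *buf, size_t len, ent_t *ent)
{
    stream_t sp = { buf, len, 0 };
    memset(ent, 0, sizeof *ent);
    return ret_principal(&sp, &ent->principal);
}

/* Constructed inputs: a name claiming 5 bytes but carrying 2, and a valid one. */
static const uint8_t truncated_input[] = { 0x05, 'a', 'b' };
static const uint8_t valid_input[] = { 0x03, 'f', 'o', 'o' };

/* 1 if the pre-fix pattern reports success and leaves the garbage pointer. */
static int unchecked_keeps_garbage(void)
{
    ent_t e;
    int rc = decode_unchecked(truncated_input, sizeof truncated_input, &e);
    return rc == 0 && e.principal == GARBAGE;
}

/* Hardened pattern on the truncated input: its return code (EINVAL expected),
 * or -1 if it failed without leaving principal NULL. */
static int checked_truncated_code(void)
{
    ent_t e;
    int rc = decode_checked(truncated_input, sizeof truncated_input, &e);
    if (e.principal != NULL)
        return -1;
    free_principal(e.principal);           /* NULL, so this is safe */
    return rc;
}

/* 1 if the hardened pattern decodes the valid input to the name "foo". */
static int checked_valid_ok(void)
{
    ent_t e;
    int ok = decode_checked(valid_input, sizeof valid_input, &e) == 0 &&
             e.principal != NULL && strcmp(e.principal->name, "foo") == 0;
    free_principal(e.principal);
    return ok;
}

int main(void)
{
    printf("unchecked keeps garbage pointer: %d\n", unchecked_keeps_garbage());
    printf("checked on truncated input: %d (EINVAL=%d)\n", checked_truncated_code(), EINVAL);
    printf("checked on valid input ok: %d\n", checked_valid_ok());
    return 0;
}
```

The point of the zeroing step is that it makes the cleanup idempotent: a caller that frees the entry after a failed decode hits free_principal(NULL) instead of a garbage pointer, which is the defence the return-value check alone does not give.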
Attachments on bug 267944: 238276 | 238347 | 238354